Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp |
index c9dd09510cad457de3a815e15e8a6cca340ea468..1bac93999ae85d4e2494d426eefe1038806d9d8e 100644 |
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp |
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp |
@@ -862,4 +862,45 @@ TEST_F(ContentSecurityPolicyTest, NonceMultiplePolicy) { |
} |
} |
+TEST_F(ContentSecurityPolicyTest, ShouldEnforceEmbeddersPolicy) { |
+ ResourceResponse response; |
+ response.setURL(KURL(ParsedURLString, "about:blank")); |
+ response.setHTTPHeaderField(HTTPNames::Allow_CSP_From, |
+ AtomicString("not a valid header")); |
+ EXPECT_TRUE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
+ response, secureOrigin.get())); |
+ |
+ // Same origin automatically should accept required CSP. |
Mike West
2016/10/17 14:54:28
I think this test would be clearer if it didn't re
|
+ response.setURL(KURL(ParsedURLString, "https://example.test/index.html")); |
+ EXPECT_TRUE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
+ response, secureOrigin.get())); |
+ |
+ // Protocols do not match. |
+ response.setURL(KURL(ParsedURLString, "http://example.test/index.html")); |
+ EXPECT_FALSE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
+ response, secureOrigin.get())); |
+ |
+ // Different origin and invalid header. |
+ response.setURL(KURL(ParsedURLString, "https://different.test/index.html")); |
+ EXPECT_FALSE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
+ response, secureOrigin.get())); |
+ |
+ // Different origin and valid header but not equal to the embedder origin. |
+ response.setHTTPHeaderField(HTTPNames::Allow_CSP_From, |
+ AtomicString("http://example.test")); |
+ EXPECT_FALSE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
+ response, secureOrigin.get())); |
+ |
+ // Different origin and valid header. |
+ response.setHTTPHeaderField(HTTPNames::Allow_CSP_From, |
+ AtomicString("https://example.test")); |
+ EXPECT_TRUE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
+ response, secureOrigin.get())); |
+ |
+ // Star should enforce any embedder's policy. |
+ response.setHTTPHeaderField(HTTPNames::Allow_CSP_From, AtomicString("*")); |
+ EXPECT_TRUE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
+ response, secureOrigin.get())); |
+} |
+ |
} // namespace blink |